dimuthnc
commented
1 year ago PAR Request
When you are using Pushed Authorisation, you should construct the request as shown below.
POST 'https://localhost:9446/api/openbanking/push-authorization/par' \
--header 'Accept: application/json' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'request=<JWT_ENCODED_REQUEST_OBJECT>' \
--data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
--data-urlencode 'client_assertion=<JWT_ENCODED_CLIENT_ASSERTION_TYPE>'
Request Object
Format for the JWT Encoded Request Object
This is same as the Request object of usual authorization request. This should be encoded into a JWT using the signing certificate of the client application.
{
"max_age": 86400,
"aud": "<TOKEN_ENDPOINT>",
"scope": "accounts openid",
"iss": "<CLIENT_ID",
"claims": {
"id_token": {
"acr": {
"values": [
"urn:openbanking:psd2:sca",
"urn:openbanking:psd2:ca"
],
"essential": true
},
"openbanking_intent_id": {
"value": "<CONSENT_ID>",
"essential": true
}
},
"userinfo": {
"openbanking_intent_id": {
"value": "<CONSENT_ID>",
"essential": true
}
}
},
"response_type": "code id_token",
"redirect_uri": "<REDIRECT_URL>",
"state": "<STATE_VALUE>",
"nonce": "<NONCE_VALUE>",
"client_id": "<CLIENT_ID>"
}Sample Payload without encryption
{
"max_age": 86400,
"aud": "https://localhost:9446/oauth2/token",
"scope": "accounts openid",
"iss": "jpUXO8Lrxu0xcZpdUKtb4JMnBHYa",
"claims": {
"id_token": {
"acr": {
"values": [
"urn:openbanking:psd2:sca",
"urn:openbanking:psd2:ca"
],
"essential": true
},
"openbanking_intent_id": {
"value": "42dc08cf-7d96-41bf-98b9-197e97cd9598",
"essential": true
}
},
"userinfo": {
"openbanking_intent_id": {
"value": "42dc08cf-7d96-41bf-98b9-197e97cd9598",
"essential": true
}
}
},
"response_type": "code id_token",
"redirect_uri": "https://www.google.com/redirects/redirect1",
"state": "YWlzcDozMTQ2",
"nonce": "n-0S6_WzA2Mj",
"client_id": "jpUXO8Lrxu0xcZpdUKtb4JMnBHYa"
}Sample Payload after encryption
eyJraWQiOiJ3N05GZU1PRHpDTU9aZW5fV0VDQWxHOU44Z2ciLCJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCJ9.eyJtYXhfYWdlIjo4NjQwMCwiYXVkIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6OTQ0Ni9vYXV0aDIvdG9rZW4iLCJzY29wZSI6ImFjY291bnRzIG9wZW5pZCIsImlzcyI6ImpwVVhPOExyeHUweGNacGRVS3RiNEpNbkJIWWEiLCJjbGFpbXMiOnsiaWRfdG9rZW4iOnsiYWNyIjp7InZhbHVlcyI6WyJ1cm46b3BlbmJhbmtpbmc6cHNkMjpzY2EiLCJ1cm46b3BlbmJhbmtpbmc6cHNkMjpjYSJdLCJlc3NlbnRpYWwiOnRydWV9LCJvcGVuYmFua2luZ19pbnRlbnRfaWQiOnsidmFsdWUiOiI0MmRjMDhjZi03ZDk2LTQxYmYtOThiOS0xOTdlOTdjZDk1OTgiLCJlc3NlbnRpYWwiOnRydWV9fSwidXNlcmluZm8iOnsib3BlbmJhbmtpbmdfaW50ZW50X2lkIjp7InZhbHVlIjoiNDJkYzA4Y2YtN2Q5Ni00MWJmLTk4YjktMTk3ZTk3Y2Q5NTk4IiwiZXNzZW50aWFsIjp0cnVlfX19LCJyZXNwb25zZV90eXBlIjoiY29kZSBpZF90b2tlbiIsInJlZGlyZWN0X3VyaSI6Imh0dHBzOi8vd3d3Lmdvb2dsZS5jb20vcmVkaXJlY3RzL3JlZGlyZWN0MSIsInN0YXRlIjoiWVdsemNEb3pNVFEyIiwibm9uY2UiOiJuLTBTNl9XekEyTWoiLCJjbGllbnRfaWQiOiJqcFVYTzhMcnh1MHhjWnBkVUt0YjRKTW5CSFlhIn0.B5R5AmUchqKrOM2W7S-qrKvuv10SdhnC2UR1nQk8s3arH_Lx3CqgF0JqZv4u42F1rnyLB4-UvID9QNv3Vm1-5sU7jEwct9-QJFukYlnbOccy-5dipv1zQ15F60VDU4nan2fo9Z696GPqYIk1UogcAAKY-A0mdVWgMn6C8tLAr0XccoXvM6wyckTqGczCMgyDPYDCJjNunuGBwHEBigbBgICdDR08NxPI4SLHr8xmTI0un6hmyMhF-VwEKfnrzkwnM_V3gX1xpWNwpzwHy22RrR9k0Iyc-z4nggeDK82e1uDttpNhuKyyiR42ekFMNFQohCjx4FZ9BF1DLPzCJT5AiAClient Assertion
Format of the Client Assertion
This should also be encoded into a JWT using the signing certificate of the client application.
{
"sub": "<CLIENT_ID>",
"aud": "<AUDIENCE_VALUE>",
"iss": "<CLIENT_ID>",
"exp": <EXP_CLAIM>,
"iat": <ISSUED_AT_CLAIM>,
"jti": "<JTI_VALUE>"
}Sample Client Assertion without encryption
{
"sub": "jpUXO8Lrxu0xcZpdUKtb4JMnBHYa",
"aud": "https://localhost:9446/oauth2/token",
"iss": "jpUXO8Lrxu0xcZpdUKtb4JMnBHYa",
"exp": 1686049966,
"iat": 1681521168,
"jti": "28"
}Sample Client Assertion after encryption
eyJraWQiOiJ3N05GZU1PRHpDTU9aZW5fV0VDQWxHOU44Z2ciLCJhbGciOiJQUzI1NiJ9.eyJzdWIiOiJqcFVYTzhMcnh1MHhjWnBkVUt0YjRKTW5CSFlhIiwiYXVkIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6OTQ0Ni9vYXV0aDIvdG9rZW4iLCJpc3MiOiJqcFVYTzhMcnh1MHhjWnBkVUt0YjRKTW5CSFlhIiwiZXhwIjoxNjg2MDQ5OTY2LCJpYXQiOjE2ODE1MjExNjgsImp0aSI6IjI4In0.I7AjMzRhwJuXEShSbF3J1icRvtsyMTdnxGRGNOUXAkkYREz4TRCPtUS7go8tAIGQwynkLiofPk2JTv1epRBP51KDr7adxTIrDB8mpU33te8oPPdIwQZy6MbYk9_h5oGUjvwHjkcvylnwxDRwT52aw1xqd5T0Q9R_YbB5VY9_DCJL-pjzY6uCZ5Ans72gxPTpAL8wLOuz6xPBhT5oMp6IqYtIgxOcU_9ucsuSm5FkvX0ch4JzJRKHEKQ5V8t_iSQ8vzA0X3zeSTQzMy6k5GXfWF3N6rJHjm21JFrAHid3Nd5tzTP_1hysjLTFU0d25YeV7puIu6zOLQpRJH5kG1IP0wOnce the request is sent, server will respond with a payload like below.
{
"request_uri": "urn:ietf:params:oauth:request_uri:bwc4JK-ESC0w8acc191e-Y1LTC2",
"expires_in": 60
}Now you can use this request_uri parameter to initiate a authorisation request as below.
curl --location 'https://localhost:9446/oauth2/authorize?
response_type=code%2520id_token&
client_id=<CLIENT_ID>&
scope=accounts%20openid&
state=<STATE_PARAMTER>&
nonce=<NONCE_PARAMTER>&
request_uri=<RECEIVED_REQUEST_URI>'For example, below is a such valid authorisation request
curl --location 'https://localhost:9446/oauth2/authorize?response_type=code%2520id_token&client_id=jpUXO8Lrxu0xcZpdUKtb4JMnBHYa&scope=accounts%20openid&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj&request_uri=urn%3Aietf%3Aparams%3Aoauth%3Arequest_uri%3AoUSSmDfUSNHUxRop8KBdwd84J4PyCm1B'You will now be redirected into authentication and authorisation, if the request parameters are valid.
Affected OB version:
OB300
Existing pages to be updated:
https://ob.docs.wso2.com/en/latest/learn/consent-authorization-intro/
Description (Optional):
Created the issue based on @dimuthnc's suggestion to add more content to the PAR endpoint doc. Need to add more information to the above page/Add the info as a new page
Instructions:
References:
PAR documentation in OB200 - https://docs.wso2.com/display/OB200/Pushed+Authorisation+Endpoint
Labels: